# HG changeset patch
# User IBBoard
# Date 1614451186 0
# Node ID cd0e77678dca82ca55903970349e5b7def2518e5
# Parent 85a5a231b0b53f4a44a73dd07ad29ba687e49944
Block more SSH probe usernames from recent attack
diff -r 85a5a231b0b5 -r cd0e77678dca modules/fail2ban/manifests/init.pp
--- a/modules/fail2ban/manifests/init.pp Tue Feb 16 13:13:00 2021 +0000
+++ b/modules/fail2ban/manifests/init.pp Sat Feb 27 18:39:46 2021 +0000
@@ -94,9 +94,8 @@
 '[0-9a-zA-Z]{1,3}',
 '([0-9a-z])\2{2,}',
 'abused',
- 'adm',
 'Admin',
- 'admins?[0-9]+',
+ 'admins?[0-9]*',
 'administr[a-z]+', # administracion, administrador, administradorweb, administrator, etc
 'admissions',
 'altibase',
@@ -106,9 +105,11 @@
 'anwenderschnittstelle',
 'anonymous',
 'ansible',
+ 'apache',
 'aptproxy',
 'apt-mirror',
 'ark(server)?',
+ 'asdfas',
 'asterisk',
 'audio',
 'auser',
@@ -129,6 +130,7 @@
 'bkroot',
 'blog',
 'boinc',
+ 'bot',
 'botmaster',
 'bugzilla',
 'build',
@@ -147,6 +149,7 @@
 'cisco',
 'clamav',
 'cliente?[0-9]*',
+ 'CloudSigma',
 'clouduser',
 'com',
 'comercial',
@@ -163,11 +166,14 @@
 'daemon',
 'danger',
 'darwin',
- 'dasuse?r',
- 'data',
+ 'dasuse?r[0-9]*',
+ 'data(ba?se)?',
+ 'db2inst[0-9]*',
+ 'dbus',
 'debian(-spamd)?',
 'default',
 'dell',
+ 'demo',
 'deploy(er)?[0-9]*',
 'desktop',
 'developer',
@@ -177,8 +183,10 @@
 'dietpi',
 'discordbot',
 'disklessadmin',
+ 'display',
 'django',
 'dmarc',
+ 'dpvirtual',
 'dockeruser',
 'dotblot',
 'download',
@@ -195,6 +203,7 @@
 'engin(eer)?',
 'esadmin',
 'events',
+ 'exploit',
 'exports?',
 'facebook',
 'factorio',
@@ -213,11 +222,13 @@
 'ggc_user',
 'ghost',
 'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?',
+ 'glassfish',
 'gmail',
 'gmodserver',
 'gnuhealth',
 'gopher',
 'government',
+ 'grid',
 'guest',
 'hacker',
 'hadoop',
@@ -236,6 +247,7 @@
 'iceuser',
 'imscp',
 'info(rmix)?[0-9]*',
+ 'inst[0-9]+',
 'installer',
 'inventario',
 'java',
@@ -263,6 +275,7 @@
 'lsfadmin',
 'lynx',
 'magento',
+ 'mail',
 'mailer',
 'mailman',
 'mailtest',
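Review bot: The new `'admins?[0-9]*'` line is safe with respect to the context entry `'([0-9a-z])\2{2,}'` two lines above it only because it introduces no capturing group; that entry presumably relies on being the second capturing group of the regex these strings are joined into (the join itself is outside this diff), so any parenthesised pattern inserted above it would silently renumber `\2` and break the repeated-character rule. The parenthesised patterns this changeset adds all sit further down the list, but nothing documents the constraint. A comment on that line, `# \2 assumes this is the 2nd capturing group of the joined regex; put grouped patterns below it`, would protect the next edit. The removal of `'adm'` is not a regression, since `'[0-9a-zA-Z]{1,3}'` already matches it.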
@@ -274,6 +287,7 @@
 'marketing',
 'master',
 'membership',
+ 'merlin',
 'messagebus',
 'minecraft',
 'mirc',
@@ -306,6 +320,7 @@
 'nginx',
 'noc',
 'node',
+ 'notes',
 'nothing',
 'NpC',
 'nux',
@@ -333,6 +348,7 @@
 'pentaho',
 'php[0-9]*',
 'platform',
+ 'play',
 'PlcmSpIp(PlcmSpIp)?',
 'plex',
 'polkitd?',
@@ -352,6 +368,7 @@
 'qhsupport',
 'rabbit(mq)?',
 'radiusd?',
+ 'raspberry',
 'readonly',
 'reboot',
 'recording',
@@ -368,12 +385,12 @@
 'rustserver',
 'sales[0-9]+',
 's?bin',
- '(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|db)?(dev|use?r|server|man|manager|mgr)|account)[0-9]*',
 'saslauth',
 'scan(n?er)?',
 'screen',
 'search',
 'sekretariat',
+ 'server',
 'serverpilot',
 'service',
 'setup',
@@ -388,7 +405,10 @@
 'smmsp',
 'socket',
 'software',
+ 'solr',
 'solarus',
+ 'spam',
+ 'spark',
 'speech-dispatcher',
 'splunk',
 'sprummlbot',
@@ -404,7 +424,7 @@
 'superuser',
 'suporte',
 'support',
- 'svn(root)?',
+ 'svn(root|admin)?',
 'sybase',
 'sync[0-9]*',
 'sysadmin',
@@ -419,11 +439,10 @@
 'tomcat',
 'tools',
 'toor',
- 'ts[23](se?rv(er)?|(musi[ck])?bot|sleep)?',
+ 'ts[123](se?rv(er)?|(musi[ck])?bot|sleep|user)?',
 'tss',
 'tunstall',
 'ubnt',
- 'ubuntu',
 'unity',
 'universitaetsrechenzentrum', # University Computing Center
 'upload[0-9]*',
@@ -439,13 +458,17 @@
 'virusalter',
 'vmadmin',
 'vmail',
- 'vscan',
+ 'vscan?',
+ 'vtms',
 'vyatta',
 'wanadoo',
 'web',
+ 'webapp',
 'weblogic',
 'webmaster',
 'webportal',
+ 'websync',
+ 'wiki',
 'WinD3str0y',
 'wine',
 'wordpress',
@@ -463,13 +486,21 @@
 'zabbix',
 'zimbra',
 'zookeeper',
+ # User/admin/other
+ '(api|appl?|ats|cam|cat|db|imap|is|my|virtual|vpn)?(admin|dev|use?r|server|man|manager|mgr)[0-9]*',
+ '(abc|account|git|info|redhat|samba|sshd|student|tomcat|ubuntu|web)[0-9]*',
+ # Names
+ '(aaron|david|james|tom|victor)[0-9]*',
 # And some passwords that turned up as usernames
 '1q2w3e4r',
 'abc123',
+ 'letmein',
 '0fordn1on@#\$%%\^&',
 'P@\$\$w0rd',
 'P@ssword1!',
- 'Passwd123',
+ 'Pa\$\$word_',
+ 'Passwd123(\$%%\^)',
+ 'password',
 'pass123?4?',
 'qwer?[0-9]+',
 ]
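Review bot: The added `'server'` in the `@@ -368,12 +385,12 @@` hunk is already matched by `(…)?(admin|dev|use?r|server|man|manager|mgr)[0-9]*`, which the last hunk of this changeset introduces, so it is a duplicate that makes the list harder to audit; dropping it, or noting `# covered by the combined user/admin pattern below`, keeps the list to one entry per probe. The removal of the long combined pattern here is safe on its own only because both of its halves reappear, as supersets, in the final hunk; if that hunk were ever reverted separately, samba/sshd/git/student/tomcat/abc/web/info/account and the prefixed dev/user/server names would silently stop matching, which is worth a sentence in the commit description.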
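Review bot: `'Passwd123(\$%%\^)'` in the last hunk replaces `'Passwd123'` with a pattern whose parenthesised group is mandatory, so the bare username `Passwd123` that the old entry matched is no longer blocked; the group should be optional, `'Passwd123(\$%%\^)?'`, the same way `'ark(server)?'` and `'rabbit(mq)?'` handle optional suffixes elsewhere in this list. The `%%` escaping is consistent with the existing `'0fordn1on@#\$%%\^&'` entry and need not change. The new `# Names` entry `'(aaron|david|james|tom|victor)[0-9]*'` deserves a one-line caveat, e.g. `# common first names: only safe while this list is applied to "Invalid user" lines`, since whether the joined regex is restricted to invalid-user log lines cannot be seen in this diff and a real account named tom would otherwise be banned on a single typo.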